How to remove the Happili "virus"

Hi there,

Over the past few days my Google searches have started to be directed to the Happili website.  I was concerned that this was a virus, but see no mention of it by the various anti-virus providers, nor have multiple scans fixed the issue.

One post I did see suggested that it was not a virus, but had changed the proxy settings in my web browser.  

Firefox:
Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection. "No Proxy" should be selected, unless you have one set up yourself.

Indeed, my Firefox browser did have a proxy selected.

My question is...Does anyone know if Happili really is a virus?  How can I be sure I am safe?

Thanks!
0

billelev Asked:

1 Solution

jacobstewart Commented:
Download DDS here: http://download.bleepingcomputer.com/sUBs/dds.scr

Double click the dds icon to run the tool.
When done, DDS will open two (2) logs:
DDS.txt
Attach.txt <--- will be minimized in the task tray
Save both reports to your desktop.
Include the contents of both logs in your next post.
0
 
billelev Author Commented:
Thanks, jacobstewart.  Files attached.
Attach.txt
DDS.txt
0
 
Tymetwister Commented:
You said you have tried multiple scans, but with which software? When something changes the proxy settings so that it doesn't connect, most times it's some type of malware. Try running a program such as Malwarebytes (again, not sure which programs you've run) and also go into your Control Panel Add/Remove Programs or Uninstall Programs and uninstall any suspicious programs. Finally, please run msconfig from the Run line, choose Selective Startup, and disable any startup items that look suspicious, as well as under the Services tab when you disable all Microsoft services. Hope this helps.
0
 
billelev Author Commented:
Yes, I had already run Malwarebytes, McAfee and 2 or 3 other similar virus scanners (Anvisoft, Norton etc.).  I re-ran Malwarebytes and nothing came up again.  Nothing looked suspicious under msconfig (although that is obviously subjective).
0
 
Tymetwister Commented:
Anything suspicious in the control panel under installed programs?
0
 
Russell_Venable Commented:
You should follow the directions here and post your results.

Main rule of thumb is to kill any rogue processes that the rootkit has run after installing and kill the rootkit that is installed.
0
 
billelev Author Commented:
No, nothing suspicious.
0
 
Russell_Venable Commented:
Nothing suspicious as in you have visually inspected, or as in "I have scanned my machine and nothing has come up"?
0
 
billelev Author Commented:
Nothing suspicious as in I have visually inspected AND I have scanned my machine and nothing has come up.
0
 
Russell_Venable Commented:
Interesting. Is this on a business or home environment? This redirect is associated with the TDSS rootkit. Under every case scenario, UAC was disabled. In your case, from one of the report files listed from DDS, you have UAC disabled.

mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

Your DHCP server looks fine for what is listed. It looks like you have more of an older hijack trick, specifically the tricks used by the TDL3 rootkit. Download GooredFix and see if that removes the redirect from your browser. After this is run, attempt your first test with Firefox and see if it gets redirected, and also please post the logs it outputs.
0
 
billelev Author Commented:
Hi...I ran this earlier in the week and it didn't solve the problem, nor this time unfortunately (I just experienced a redirect).

I've attached the log file.
GooredFix.txt
0
 
Russell_Venable Commented:
Ok, this is stealthed already... We definitely have a rootkit installed here. Have you taken precautions and made a backup already? Have a Windows CD ready in case of failure and/or damage caused by this rootkit? If not, I would back up all files and make sure you have an installation backup. Since you are running on x86, please download GMER Antirootkit. When unzipped, check all check boxes except "IAT/EAT", run this scan, save the scan to a file and post the log file here.

Next step is to see if the rootkit is actually hiding the injected file in the temp directory. For this you need to go to %AppData%\..\Local\Temp and check for executables/DLLs in this directory.

We are looking for files that mainly look like this:
%AppData%\..\Local\Temp\<6-7 letters&numbers>.tmp\<5-7 letters&numbers>.dll

0
 
billelev Author Commented:
Ah... That does not sound good.  If I make an installation backup, will that also copy the bad files?
0
 
Russell_Venable Commented:
Honestly, it's better to have a backup that has malware than nothing at all to work with. The trouble with removing malware like these rootkits is that it gets very difficult, as they modify critical files in the system. As soon as you remove it, things like internet connection loss, blue screens, etc. happen. It's cause and effect. I don't want to see your system damaged further by this malware and have no point of recovery.

In fact, W7 allows you to back up your files and also make a recovery disk as well as a repair disk. Usually the first thing you should do when you buy your computer is to make sure the software aspect is protected in a stored backup disk. It can't be touched by malware that way, and it is a clear sense of relief for the owner as well.
0
 
jacobstewart Commented:
Has ComboFix been tried?  Can we get a HijackThis log as well?
0
 
billelev Author Commented:
Here is the rootkit malware scan file.
Rootkit-Malware-Scan.log
0
 
Russell_Venable Commented:
Wow! That is a lot of hooks!  Can you turn off McAfee's products and Anvi as well? Redo the scan. I need to be sure it's not the antivirus software hooking Explorer and Firefox.
0
 
billelev Author Commented:
I am re-running the GMER scan.  While that takes place, I have attached the log of ComboFix.
log.txt
0
 
Russell_Venable Commented:
Well, it's confirmed. This is a new way to hide malware going around. Before I get the results of GMER without antivirus/antimalware software running in the background, I will continue to check a few items.

Can you confirm that all 3 browsers are being redirected? If not, which ones are not?

If Firefox is being redirected, uninstall Mozilla Firefox and Google Chrome, and delete these folders to clean up. Everything in these folders must go.

%APPDATA%\mozilla
%LOCALAPPDATA%\mozilla
%programfiles%\Mozilla Firefox

%APPDATA%\Google
%LOCALAPPDATA%\Google

After this is accomplished, re-install Firefox and Chrome, and test to see if you're still receiving redirects to Happili.
0
 
billelev Author Commented:
Here's the GMER rootkit log (without anti-virus running). The scan confirmed that some rootkit had been detected.

I will work on your suggestions above now.
GMER-Rootkit-Malware-Scan.log
0
 
billelev Author Commented:
Firefox is definitely being redirected still (now to infomash.org).  I tested Chrome, and it didn't look like it was being redirected (but I use Firefox as my browser, so I have a bigger sample set).  I will remove both, then re-install.
0
 
Russell_Venable Commented:
Ok, this one is very persistent. Let's go for a reinstall of one of your antimalware products. Boot into safe mode with networking and reinstall Anvi, scan with aswMBR (good reports of detection). Re-scan with Anvi and look in these areas for these items, then re-test for redirection after you have rebooted.

Folders/Directory locations:
%AllUsersProfile%\<random>
%AllUsersProfile%\<random>\*.lnk

Registry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce <random>
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run <random>
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run <random>.exe
HKEY_CURRENT_USER\Software\<random>

Also add these to your hosts file.
Mapbird.info
Infomash.org
Happili.com
gimmeanswers.org/com

0
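A defender-side, read-only PowerShell audit of the items this thread walks through: the Firefox proxy preference the question found changed, the UAC values Russell_Venable quotes from the DDS log, the Run/RunOnce keys, the hosts-file domains and the temp-directory DLL pattern from the GMER step. This is an added example, not code from the thread or from any tool it mentions; the EnableLUA value and the exact prefs.js and hosts paths are assumptions. It changes nothing on the machine.

```powershell
# Added example (not from the thread): read-only audit of the items the posts above
# ask the user to inspect. Run in an elevated PowerShell session on the affected PC.
# EnableLUA is an assumption; the thread only quotes the two ConsentPromptBehavior values.

# 1. UAC policy values (the DDS "mPolicies-system" lines come from this key)
$uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
'UAC: EnableLUA={0} ConsentPromptBehaviorAdmin={1} ConsentPromptBehaviorUser={2}' -f `
    $uac.EnableLUA, $uac.ConsentPromptBehaviorAdmin, $uac.ConsentPromptBehaviorUser

# 2. Run/RunOnce autostart entries named in the post above
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    (Get-ItemProperty $key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |          # drop provider metadata
        ForEach-Object { '{0}  {1} = {2}' -f $key, $_.Name, $_.Value }
}

# 3. Firefox proxy preferences (network.proxy.type 0 means "No Proxy")
Get-ChildItem "$env:APPDATA\Mozilla\Firefox\Profiles\*\prefs.js" -ErrorAction SilentlyContinue |
    ForEach-Object {
        $prof = $_.Directory.Name
        Select-String -Path $_.FullName -Pattern 'network\.proxy\.' |
            ForEach-Object { '{0}: {1}' -f $prof, $_.Line.Trim() }
    }

# 4. hosts file: active lines, and whether each domain named in the thread is blocked
$hosts = Get-Content "$env:SystemRoot\System32\drivers\etc\hosts" |
    Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' }
$hosts
foreach ($d in 'mapbird.info','infomash.org','happili.com','gimmeanswers.org','gimmeanswers.com') {
    $pattern = '^\s*(127\.0\.0\.1|0\.0\.0\.0)\s+' + [regex]::Escape($d) + '(\s|$)'
    $hit = $hosts | Where-Object { $_ -match $pattern }
    'hosts block for {0}: {1}' -f $d, $(if ($hit) { 'present' } else { 'missing' })
}

# 5. Temp-directory pattern from the GMER step: <6-7 alnum>.tmp\<5-7 alnum>.dll
# (%AppData%\..\Local\Temp is the same directory as $env:LOCALAPPDATA\Temp)
Get-ChildItem "$env:LOCALAPPDATA\Temp" -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^[A-Za-z0-9]{6,7}\.tmp$' } |
    Get-ChildItem -Filter *.dll -ErrorAction SilentlyContinue |
    Where-Object { $_.BaseName -match '^[A-Za-z0-9]{5,7}$' } |
    ForEach-Object { 'suspect temp DLL: {0}' -f $_.FullName }
```

Any Run/RunOnce value, proxy preference or temp DLL it prints is a lead to inspect, not proof of infection; the aswMBR and GMER scans in the thread are still what confirms a rootkit.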
 
billelev Author Commented:
Here is the aswMBR log file after a safe mode scan.  I ran this without installing Anvi as I didn't want it to interfere... I will now download Anvi and run the scan.
aswMBR.txt
0
 
billelev Author Commented:
Okay, here's the aswMBR scan after running the Anvi scan again.

These all looked fine:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce <random>
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run <random>
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run <random>.exe

HKEY_CURRENT_USER\Software\<random> had a few random entries

Analog Devices > IFShare and SMax4PNP
AppDataLow
Clients > StartMenuInternet
Mozilla > Firefox > Extensions > C:\Users\<USER>\AppData\Local\{05159B29-79E7-11E1-826D-B8AC6F996F26}\
Redemption . .
Wget
Xenocode


I also modified the hosts file.

I should also mention that yesterday I did a complete reinstall of Firefox.  I've not been redirected since, but I guess that is no guarantee that the issue has been fixed.
aswMBR---after-Anvi-Scan.txt
0
 
Russell_Venable Commented:
Well, it sounds like it was part of the residual files left over from the infection. Most likely either overlay.xul, search plugins, or extensions. I've seen a few variations. Do you log outbound traffic from a router? I would keep an eye on its traffic and watch for incoming/outgoing connections just to be safe for about a week.

As far as the aswMBR log goes, it looks fine. It did not detect any MBR modifications. As long as you're not receiving redirects on the other browsers, you should be good.
0
 
billelev Author Commented:
Okay, thanks.  I will give it a week or so before I close this, just in case anything comes up.

Should I remove the following registry entry, or just leave?

Mozilla > Firefox > Extensions > C:\Users\<USER>\AppData\Local\{05159B29-79E7-11E1-826D-B8AC6F996F26}\
0
 
Russell_Venable Commented:
Is that one empty or does that contain wget, redemption, etc?
0
 
billelev Author Commented:
All it contains is:

Value Name: {05159B29-79E7-11E1-826D-B8AC6F996F26}

Value Data: C:\Users\<user>\AppData\Local\{05159B29-79E7-11E1-826D-B8AC6F996F26}\
0
 
Russell_Venable Commented:
Go ahead and delete it then. It's an orphaned folder.
0
 
billelev Author Commented:
It's been over 24 hours and no re-directs.  Fingers crossed!
0
 
Russell_Venable Commented:
Sounds good so far.
0